Firewall settings

This section allows you to define how the Firewall engine manages traffic on your computer when connected to a network. It also provides advanced module customization options which allow you to set the module to match your own security needs or your network configuration.

Firewall: allows you to enable or disable the Firewall engine.

Subnets: provides access to the list with networks to which your computer connects.

Security: allows you to customize the Firewall attack detection system and add trusted hosts that will be exempted from this check.

Logging: defines the event types that will be logged by the Firewall.

Alerts: allows you to specify how the security alerts and event notification will appear.

Subnets section

To enhance the security provided by the Firewall, you can set up a range of trusted networks (this works for Local Area Networks) so that the application can better filter traffic and block potentially dangerous connections.

Select the networks that you trust: this option is closely related to the Application - Advanced and Low level rules, because through those rules the Firewall will manage any network traffic. Therefore, it will allow traffic for the computers that are a part of a trusted network, while denying access to specific ports or connection types to all other computers outside trusted networks.

Setting up trusted subnets will help prevent attacks such as MAC/IP spoofs and will stop computers impersonating DNS/Gateway servers from establishing a connection to your computer.

BullGuard will automatically detect any new network settings and once the computer has connected to that network, it will add it to the trusted networks list. The network will be visible in the Trusted Subnets list. In that section, you can see each network adapter that is currently operational on the computer and its associated networks.

As long as a network is ticked, the Firewall will view it as a trusted network. If you un-tick it, the Firewall will list it as a mistrusted LAN.

To add a specific subnet, click the + button and enter the specific details for that network. Click OK to save the new subnet.

You must know the correct IP address and subnet mask to enter in the two fields in order to add the proper LAN. If either the IP or the subnet mask is wrong, another subnet will be added. If you are unsure about the correct details, we recommend you ask a system administrator.

The best way to get the details right is to check what the Gateway server IP address and subnet mask are. If the details look like 192.168.1.1 with 255.255.255.0 as mask, it is advisable to use the following IP and subnet mask: 192.168.1.0 with 255.255.255.0 as mask.
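A pre-check for the IP and subnet mask pair described above, as an added example that is not BullGuard code. It uses standard IPv4 arithmetic to show which subnet a pair really describes and how many hosts it would trust; the function name and the warning texts are assumptions.

```python
import ipaddress

def check_trusted_subnet(ip, mask, gateway=None):
    """Check an (IP, mask) pair before it is entered as a trusted subnet.

    Returns the subnet the pair really describes, how many hosts it covers,
    and warnings for the mistakes that silently trust a different network.
    """
    try:
        # strict=False clears the host bits, so a host or gateway IP is accepted
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    except ValueError as exc:  # malformed IP or non-contiguous mask
        return {"network": None, "hosts": 0, "warnings": [f"invalid entry: {exc}"]}
    warnings = []
    if str(net.network_address) != ip:
        warnings.append(f"{ip} is not the network address; subnet is {net}")
    if gateway is not None and ipaddress.IPv4Address(gateway) not in net:
        warnings.append(f"gateway {gateway} is outside {net}")
    hosts = max(net.num_addresses - 2, 0)  # minus network and broadcast addresses
    return {"network": str(net), "hosts": hosts, "warnings": warnings}

if __name__ == "__main__":
    # Constructed entries built around the 192.168.1.1 / 255.255.255.0 case above.
    for entry in [("192.168.1.0", "255.255.255.0", "192.168.1.1"),  # correct
                  ("192.168.1.1", "255.255.255.0", "192.168.1.1"),  # gateway IP typed in
                  ("192.168.1.0", "255.255.0.0", "192.168.1.1"),    # mask too wide
                  ("192.168.2.0", "255.255.255.0", "192.168.1.1")]: # wrong LAN
        print(entry, check_trusted_subnet(*entry))
```

The third entry is the one to watch for: a mask that is one octet too wide turns a 254-host trusted LAN into a 65534-host one.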

Security settings

The information present in the Security tab is directly related to the network attack protection offered by the BullGuard Firewall. The options in this tab will provide you with means to customize the Firewall attack detector to your network’s specifications.

Continue to apply Firewall rules when BullGuard is closed: This will enable the Firewall to function when the main application is closed. Note that this can cause issues with applications which are not in the Application list trying to access the network.

Because BullGuard is shut down and only the Firewall engine is running in the background, there will be no user interface loaded and no visible Firewall pop-up questions.

As you only have a limited period of time to answer the pop-ups and you won’t be able to see them on account of the interface not being loaded, the Firewall will take the default action and block the programs that don’t appear in the Application list. Of course, if you have a well-defined application list, then the Firewall will not block necessary applications.

Enable attack detection: turns the BullGuard Firewall's blocking of network attacks on or off. We recommend that you keep this option enabled at all times.

Detect when programs get modified: This feature will enable BullGuard to see when a program from the Application list has been modified. Therefore, it will ask you whether to keep allowing or to block the application.

This option is extremely useful as it will prevent hijacked applications from connecting to the internet without your consent. It works best in conjunction with the real-time scanning module from the Antivirus, by creating security layers that maximize the computer’s safety.

Also, the Firewall will detect when an application is trying to modify a program connecting to the internet and will ask you whether to allow it or not. You should be aware that software updates can modify executable files (such as the periodic Windows updates) and in such cases, you should keep allowing the modified files.

Attack Detection

The attack detection system is the heart of the Firewall.

Attack detection settings

BullGuard will block a wide variety of network attacks. However, due to specific network requirements and equipment configurations, some information received from the internet might trigger a 'false positive' attack warning. This is why you can edit the Firewall attack parameters to match your network’s characteristics.

Configure button for Detect Port Scans, Single Port Scans and Denial-of-Service attacks: allows you to edit the sensitivity level of the Firewall for these types of attacks.

Configure advanced ARP protection settings: allows you to edit the sensitivity level of the attack detector for ARP scans.

Exclude trusted hosts from attack detection: all IP addresses listed in the trusted hosts list will be exempted from the attack detector checks.

Ban intruders for (seconds): for each detected attack, you can set the Firewall to ban the source IP for a specified amount of time.

Attack types

Detect port scans: allows the Firewall to detect port scans, which are not actually attacks, but a common action preceding an attack - an attempt to see what ports are open on your computer.

Single port scan attack: A type of attack that tries to see what ports are open on the target computer. Not an attack by itself, but a common action preceding an attack.

Detect Denial of Service (DoS) attacks: allows the Firewall to detect and prevent an attack that will render network services and resources unavailable to their intended users. There are various means through which DoS or DDoS (Distributed Denial of Service attack) occur: Teardrop attacks, ICMP attacks, Nuke attacks, distributed attacks. And there are some tell-tale signs of these attacks: low network performance, inability to access network resources (servers, printers, shared files, network tools/applications), low computer performance. In some cases, DoS attacks cause high CPU activity, making the operating system crash.

Detect IP Address stealing: Will protect your computer from attackers who could duplicate IP addresses from the network in order to cause operating system hangs or crashes. They could also deny the victim computer access to the network resources or services by sending false ARP packets by which they would actually steal “the identity” of the attacked computer.

Detect ARP scan: allows the Firewall to detect ARP scans, by which an attacker posing as another computer/server tries to trick the target into sending it information. This type of attack generates delays in data transmission or a denial of service on the affected equipment because of the ARP spoofing. Important and sensitive data (chat sessions, e-mails) can be intercepted this way.

Fragmented-ICMP attack: the Firewall will detect any attacker trying to send ICMP packets that are fragmented in an attempt to bypass security measures.

Fragmented-IGMP attack: the Firewall will detect any attacker trying to send IGMP packets that are fragmented in an attempt to bypass security measures.

Short-fragments attack: makes sure the Firewall detects the types of packets used in DoS attacks. The packets are intentionally modified to have a smaller size than regular packets so that they will go undetected by security systems (hardware or software Firewalls).

Overlapped-fragments attack: the Firewall will prevent attackers from sending fragmented packets whose contents overlap each other in the hope of weakening the system and making it vulnerable to an attack. Usually, this kind of procedure is used in Teardrop attacks.

WinNuke attack: this option will protect your computer against an attack sending an OOB (Out of Band) packet which would result in a computer lockdown and a BSOD (Blue Screen of Death). This attack would not damage any data from the computer disk, but it would cause the loss of any unsaved data prior to the attack. This kind of attack was specific to early Windows versions (Windows 95, old NT versions and Windows 3.11).

Teardrop Attack: enables the Firewall to prevent attackers from sending custom resized fragments that overlap each other. An exploitable bug in the TCP protocol generated a bad handling of such packets. It is an attack specific to Windows 3.11, 95 and old versions of Windows NT and Linux.

Nestea Attack: protects your computer from a Linux-specific network attack similar to the Teardrop attack. This type of attack would exploit the network packet defragmentation bug in older versions of Linux.

Ice Ping Attack: this option allows the Firewall to detect if Windows mishandles ICMP packets split into a large number of small fragments. Usually the computer crashes when assembling the smaller packets.

OpenTear Attack: the Firewall will keep your computer safe from a type of attack using random spoofed IPs to flood random ports from the target computer with random fragmented UDP packets that will cause operating system crashes on Windows 95, 98, NT 2000.

IGMPSYN Attack: enables the Firewall to handle this common denial-of-service technique.

Malformed IP Options: the Firewall prevents attackers from sending a packet with a large IP Options field that generates a buffer overrun in the TCP/IP stack. This can allow malicious code to run on the target computer and can increase network activity, slowing network traffic to a crawl.

Moyari13 Attack: protects your computer from ICMP-type attacks through which the attacker sends an illegal ICMP time-stamp. Upon receiving this packet the computer crashes (the network stops responding). It is used against Windows 95/98.

FAWX Attack: enables the Firewall to prevent a type of IGMP denial of service attack that would freeze operating systems like Windows 95, 98 or NT.

KOX Attack: this option allows the Firewall to detect a type of IGMP denial of service attack that would freeze operating systems like Windows 95, 98 or NT.

Attack detection parameters

This section allows you to fine-tune the sensitivity of the Firewall regarding the attack warning triggers for Port Scans, Single Port Scans and Denial-of-Service. This works as follows:

The more sensitive the Firewall, the faster an attack warning will pop up and the attacker IP will be banned for the default ban period (300 seconds), although this may increase the chances of 'false positive' attack detection.

The less sensitive the Firewall, the longer it takes for an attack warning to be triggered and the 'false positive' rate is close to zero. However, overly lax security can jeopardize the computer's integrity.

The default setting of the Firewall will provide a balance between a tight security system and a low rate of false positive detection and almost no network traffic hampering. Due to the continuous network traffic filtering, you can expect the connection speed to be a little slower. However, in case of major speed differences, we advise you to contact the BullGuard Support Team.

The port scan attack warnings are triggered based on scores. The ports are designated a specific weight (importance) that will determine their sensitivity. A port scan attack will be triggered when a specific scoring (the default or the user set value) is reached.

This method presents advantages as it will make the Firewall customizable so that you can set it up in order to avoid false positive attack detections.

By default, the ports have specified values in the attack detector. An open port has 0 weight (importance), as no one can be accused of illegal port scanning when targeting such ports (even some websites can do a fast port scan on the user’s computer, for data transfer for example). A closed port (the Firewall will keep sensitive ports closed or in stealth mode) has a weight (importance) of 1 or more. Usually, all unused ports are kept closed by the Firewall.

The attack warning is triggered based on a time limit and on the total score over the specific time limit.

Time limit: If the conditions are satisfied over a predetermined period of time, the warning message is triggered. The default is 600 ms, but you can change it.

Scoring: When a computer/server scans 6 closed ports in less than 600 ms, the action is considered to be malicious and the port scan warning is issued. When port scans occur from a computer/server, the Firewall will check whether the ports are open or closed and sum the weights of the scanned ports. If the grand total exceeds the default weight (6), the port scan warning is triggered.

When configuring the attack detection parameters, you will have the opportunity to set custom values for sensitive ports to which BullGuard will pay more attention. Basically, this means that if an attack targets any of the designated sensitive ports, the warning is triggered sooner and the attacker is blocked faster.

To edit the sensitive ports list, simply click on the Configure button from the attack parameters editing window.

To add a new port to the list, click on the + button, select the protocol type, enter the port number and assign it a weight (importance) value.
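The scoring scheme described in this section, sketched as an added example that is not BullGuard's own code. It uses the defaults quoted above (600 ms window, score 6, 300-second ban); the class and function names are hypothetical, and it assumes that an open port always scores 0, that each distinct port counts once per window, and that the warning fires when the total reaches the threshold.

```python
from collections import defaultdict, deque

class PortScanDetector:
    """Weighted port-scan scoring over a sliding time window, per source IP."""

    def __init__(self, open_ports, sensitive=None,
                 window_ms=600, threshold=6, ban_s=300):  # defaults quoted on the page
        self.open_ports = set(open_ports)        # (proto, port) pairs with a listener
        self.sensitive = dict(sensitive or {})   # (proto, port) -> custom weight
        self.window_ms, self.threshold = window_ms, threshold
        self.ban_ms = ban_s * 1000
        self.probes = defaultdict(deque)         # src -> deque of (t_ms, proto, port)
        self.banned_until = {}                   # src -> time (ms) the ban expires

    def weight(self, proto, port):
        if (proto, port) in self.open_ports:
            return 0                             # probing an open port scores nothing
        return self.sensitive.get((proto, port), 1)  # closed: 1, or the custom weight

    def observe(self, t_ms, src, proto, port):
        """Feed one inbound probe; return 'ok', 'alert' or 'banned'."""
        if self.banned_until.get(src, 0) > t_ms:
            return "banned"
        q = self.probes[src]
        q.append((t_ms, proto, port))
        while q and t_ms - q[0][0] >= self.window_ms:  # keep probes < window_ms old
            q.popleft()
        # Assumption: a distinct port counts once, so retries do not inflate the score.
        score = sum(self.weight(p, n) for p, n in {(p, n) for _, p, n in q})
        if score >= self.threshold:
            self.banned_until[src] = t_ms + self.ban_ms
            q.clear()
            return "alert"
        return "ok"

def replay(detector, events):
    """Run (t_ms, src, proto, port) events through a detector; return the verdicts."""
    return [detector.observe(*e) for e in events]

# Constructed sample traffic (documentation-range addresses, not real hosts).
OPEN = {("tcp", 80), ("tcp", 443)}
FAST = [(i * 50, "203.0.113.9", "tcp", 1000 + i) for i in range(6)]    # 6 ports, 250 ms
SLOW = [(i * 200, "198.51.100.7", "tcp", 2000 + i) for i in range(6)]  # 6 ports, 1 s
WEB = [(i * 10, "192.0.2.5", "tcp", p) for i, p in enumerate([80, 443] * 5)]
SENS = [(0, "203.0.113.44", "tcp", 445), (20, "203.0.113.44", "tcp", 3389)]
SENS_WEIGHTS = {("tcp", 445): 3, ("tcp", 3389): 3}   # constructed custom weights

if __name__ == "__main__":
    print(replay(PortScanDetector(OPEN), FAST))
    print(replay(PortScanDetector(OPEN), SLOW))
    print(replay(PortScanDetector(OPEN, SENS_WEIGHTS), SENS))
```

The slow scan never scores above 3 in any 600 ms window, which is the trade-off the sensitivity setting controls: a longer time limit or lower score catches it, at the cost of more false positives.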

Configure advanced ARP protection settings

This feature allows BullGuard to detect attacks by compromised computers or servers and further enhances the computer security level.

Block unsolicited ARP packets: This is another security feature that will block all potentially dangerous ARP traffic packets that have not been previously requested by any application from your computer. Usually, unsolicited ARP packets are sent by infected computers or by attackers who are impersonating servers or other computers from your network and are trying to trick the computer into opening communication ports.

Protect against hijacked gateways: Will protect you against compromised Gateway servers.

Protect against IP address duplication: When a new IP address is set for a computer in a network, the computer will broadcast this information on the network. BullGuard will read such traffic and, if the IP address is exactly the same as the IP on your computer, it will block the information packets. Some operating systems will ‘hang’ when trying to read those traffic packets, and BullGuard will prevent the information from reaching the operating system to be decoded.

Detect when applications are modified

This feature will enable BullGuard to see when a program from the Application list has been modified and will ask you whether to keep allowing or blocking the application. This option is extremely useful as it will prevent hijacked applications from connecting to the internet without your consent. It works best with the real-time scanning module from the Antivirus engine, creating security layers maximizing the computer’s safety.

Also, the Firewall will detect when an application tries to modify a program connecting to the internet and will ask you whether to continue to allow it. You should be aware that software updates can modify executable files (such as the periodic Windows updates) and, in such cases, you should keep allowing the modified files.

Logging section

The Logging tab offers options about the information the Firewall will display in the Firewall logs, both in the application and in the log files created on your computer.

TCP Logging

Log TCP connection (creation, termination): will create an entry in the Firewall log stating that a TCP connection has been created - enabled by default.

Resolve network items (remote hosts, ports): with this function enabled, the Firewall will try to read the network name of the specific network item such as computer name (this will work only if the PC/network will allow it or if a network name has been set).

Default settings

The logging options will be reverted to the default options.

Alerts section

The Alerts settings will help you configure the Firewall messages and pop-up screens, their frequency and how they are displayed on the screen.

If I don’t answer within a few seconds, apply an automatic answer: the Firewall notification pop-ups have a standard timeout of 20 seconds during which you can choose whether or not to allow the program access to the network. After the timeout expires, the Firewall will apply the predetermined action which by default is to block the application. You can change the default action to allow it if there is no answer within the time limit.

Notify me when a program is automatically granted internet access: will display a Firewall pop-up message each time an application has been automatically allowed to connect to the network based on the known application list.

Display a security alert and close it after a few seconds: when this option is enabled, a Firewall notification message will appear informing you of any security event. The notification pop-up will disappear after the default 30 seconds.

Play an audio file: will use the Windows predefined or user-defined sounds whenever a Firewall notification window appears.

Notify me when network changes are detected: will display a Firewall pop-up message about any network change registered by the Firewall.